LISTSERV - NCSG-DISCUSS Archives

On Mar 13, 2015, at 10:06 PM, Tapani Tarvainen <[log in to unmask]> wrote:

> Please add my name as well.
> 
> -- 
> Tapani Tarvainen
> 
> On Fri, Mar 13, 2015 at 02:54:52PM -0400, Nicolas Adam ([log in to unmask]) wrote:
> 
>> Please add my name also. Good work.
>> 
>> Nicolas Adam
>> 
>> On 13/03/2015 2:11 PM, Kathy Kleiman wrote:
>>> 
>>> 
>>> Dear All,
>>> 
>>> Attached please find an important set of comments. They are to the
>>> Whois Accuracy Pilot Study Report – by a group of researchers at
>>> the University of Chicago called NORC. Buried in this report turns
>>> out to be a many issues important to us in the Whois domain name
>>> registration databases – including the question of postal
>>> addresses (should we be validating and publishing the physical
>>> addresses of political dissident groups, religious minorities,
>>> girls’ schools in areas where many do not like girls education?Is
>>> there a danger to be evaluated *before* we undertake this new
>>> policy?)
>>> 
>>> Identity Validation is a very open question as well, yet NORC
>>> seems ready to start work in this area. I have written a set of
>>> questions that say STOP – and let’s consider the policy
>>> implications of these acts before we develop plans to put them
>>> into effect. The comments are below (with a full copy attached).
>>> 
>>> *They are due tonight!If you can sign on, please do. Please let me
>>> know your name and/or organization and/or country.*
>>> 
>>> **
>>> 
>>> Great tx to Stephanie Perrin for editing! Here are some thoughts
>>> of members on our Policy Committee:
>>> 
>>> -Kathy’s drafted, what I believe to be, an excellent comment in
>>> response. – Amr Elsadr
>>> 
>>> -Great job Kathy!!  I support this document.  -- Stephanie Perrin
>>> 
>>> -Feel free to add my name as endorsing the document – Ed Morris
>>> 
>>> Best and tx!!
>>> Kathy (Kleiman)
>>> 
>>> *
>>> WHOIS Accuracy Pilot Study Report*
>>> 
>>> Burying Extremely Divisive Policy Questions in a Technical
>>> Implementation Report Written by an ICANN Contractor is Improper
>>> and, in this Case, Dangerous
>>> 
>>> 
>>> These are comments written in response to the WHOIS Accuracy Pilot
>>> Study Report. Buried in this Report – which purports to be an
>>> implementation report of an ICANN Contractor (NORC/University of
>>> Chicago) -- are some of the most controversial and unsettled
>>> issues in ICANN policy discussions and history. These issues are
>>> the subject of deep and bitter divides over many years of ICANN
>>> work, the subject of interest across the world, and the focus of a
>>> series of explosive comments in Singaporewhen the ICANN Community
>>> began to realize what was happening.
>>> 
>>> 
>>> It is inappropriate in the extreme, for ICANN policy issues to be
>>> buried in a ICANN Contractor’s implementation report, and even
>>> further, deep in its Appendix B,/Next Steps for the Development of
>>> the WHOIS Accuracy Report System (ARS). /This follows pages of
>>> study “methods and approach” language and sample design which are
>>> obscure even to those who follow Whois policy issues on a regular
>>> basis.We submit that after the many years of heated controversy
>>> over this topic, it is disingenuous at the very least to allow
>>> this to happen policy debate to continue its development in this
>>> manner.
>>> 
>>> We are deeply concerned that ICANN Staff has not flagged this
>>> Report, or this Comment Proceeding, for what it appears to be – a
>>> process to seek permission from the ICANN Community for the:
>>> 
>>> a)*wholesale checking of the physical addresses of online speakers
>>> across the world (whether using domain names for political speech,
>>> personal speech, or religious, ethnic or sexual minority
>>> expression)*thus creating an unprecedented inextricable link
>>> between a speaker and her physical location, and
>>> 
>>> b)*the**radical new concept of Identity Validation for each and
>>> every domain name Registrant to the ICANN Community, *a concept
>>> with inconceivable implications for political, ethnic and
>>> religious minorities worldwide, as well as entrepreneurs, emerging
>>> organizations and those operating today without identities who
>>> seek to create them.
>>> 
>>> We respectfully add the issues below to this debate.
>>> 
>>> *I.**ICANN has never been given a mandate for Address Checking on
>>> a Massive Scale*
>>> 
>>> Although the Contractor’s Report seems to suggest that the ICANN
>>> Community has approved the massive checking of postal addresses in
>>> the existing gTLD Whois databases, that is not the case.
>>> 
>>> 
>>> A.The Whois Review Team Final Report set the standard of
>>> “contactability” -- reaching the domain name registrant with
>>> questions and concerns – not absolute accuracy of all data in the
>>> whois
>>> 
>>> The Current NORC Study (2014) and its accompanying ICANN Staff
>>> Summary accompanying this NORC’s Pilot Report misrepresent the
>>> WHOIS Policy Review Team Final Report and its Recommendations. The
>>> goal of the Whois Review Team was “Contactibility” and
>>> “Reachability” of the Registrant. To this end WHOIS Policy Review
>>> Team Final Report looked “holistically” at the Whois record and
>>> did not seek the accuracy of each and every element of a
>>> Registrant’s Whois record.
>>> 
>>> 
>>> Specifically, the NORC Report of 2009/2010 (an earlier report
>>> called the NORC Data Accuracy Study) created five categories for
>>> ranking the data quality of a Whois record: *Full Failure*
>>> (overwhelmingly inaccurate); *Substantial Failure* (most data
>>> inaccurate); *Limited Failure* (data to some degree present and
>>> considered useful); *Minimal Failure* (may benefit from additional
>>> information, but data provided is accurate) and *No Failure *(data
>>> complete and accurate).
>>> 
>>> */
>>> The Whois Review Team called for ICANN to significantly reduce the
>>> number of “Full Failure” and “Substantial Failure” Whois Records
>>> --- Avoidance of “No Failure” was not a goal at all./*As shared
>>> many times in meetings of the Whois Review Team and members of the
>>> ICANN Community, including the GAC, what the WHOIS Review Team
>>> recommended was that Whois information be sufficiently available
>>> and accurate for the Registrant to be reached –for legitimate
>>> technical, administrative and other questions: [Recommendation]
>>> “*6. ICANN shouldtakeappropriatemeasurestoreduce thenumberofWHOIS
>>> registrationsthatfallintotheaccuracygroupsSubstantial Failureand
>>> Full Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months
>>> andby50%againoverthefollowing12months.*”
>>> 
>>> 
>>> Thus, for the Whois Review Team, “No Failure” (full accuracy of
>>> all fields) was */not the goal/*;“contactability” and
>>> “reachability” of Registrants was.
>>> 
>>> 
>>>       B. 2013 Registrar Accreditation Agreement
>>> 
>>> 
>>> The WHOIS Review Team Final Report noted that efforts were already
>>> underway to improve accuracy and contactibility of Registrants in
>>> the then-pending “direct negotiations with Registrars on revisions
>>> to the RAA.” These negotiations resulted in the 2013 RAA which
>>> furthered the goal of reaching Registrants through verified phone
>>> numbers and email addresses:
>>> 
>>> 1.f : “Verify:
>>> 
>>> i.the email address of the Registered Name Holder (and, if
>>> different, the Account Holder) by sending an email requiring an
>>> affirmative response through a tool-based authentication method
>>> such as providing a unique code that must be returned in a manner
>>> designated by the Registrar, or
>>> 
>>> ii.the telephone number of the Registered Name Holder (and, if
>>> different, the Account Holder) by either (A) calling or sending an
>>> SMS to the Registered Name Holder's telephone number providing a
>>> unique code that must be returned in a manner designated by the
>>> Registrar, or (B) calling the Registered Name Holder's telephone
>>> number and requiring the Registered Name Holder to provide a
>>> unique code that was sent to the Registered Name Holder via web,
>>> email or postal mail.
>>> 
>>> As with the Final Report of the Whois Review Team, the goal of the
>>> 2013 RAA was “contactability” and “reachability” of the domain
>>> name Registrant for technical or administrative questions by third
>>> parties.
>>> 
>>> C.Where Did the “No Failure” Standard Come From for NORC – the
>>> Validation and Verification of Each and Every Whois Element
>>> Without Policy Processes or Assessments of the Risks and Harms?
>>> 
>>> Consistent with the Whois Review Team Final Report and the 2013
>>> RAA, we can understand the NORC methodology and approach to
>>> checking email addresses and telephone numbers – but postal
>>> address validation?Where is the underlying GNSO Policy driving
>>> this direction to NORC from ICANN Staff?
>>> 
>>> */Where is the assessment of the risks and benefits of updating
>>> the physical addresses of hundreds of millions of political,
>>> personal, religious, ethnic and sexual speakers – including
>>> dissidents, minorities and those discriminated against by the laws
>>> and customs of various regions?/*Where is NORC evaluating the
>>> wholesale and massive verification of postal address in the
>>> existing gTLD WHOIS databases without such an assessment?How did
>>> ICANN Staff come to direct it?
>>> 
>>> 
>>> The NORC Contractor seems to have jumped from the logical –
>>> checking email and phone – to checking physical addresses. But
>>> this leap from an open and undecided policy question to a mere
>>> implementation issue should be disturbing to everyone in the ICANN
>>> Community. What we know from history and the most tragic of recent
>>> events is that speech and physical location are a dangerous
>>> combination.
>>> 
>>> 
>>> When individuals armed with automatic rifles wish to express their
>>> disagreement with the legal speech of a satirical magazine, they
>>> find the location in Parisand kill writers, publishers and
>>> cartoonists. When they want to express contempt for those
>>> practicing another religion, they bring their guns to kosher
>>> grocery stores in Parisand synagogues in Copenhagen. Tracking down
>>> and beheading Christian minorities is a horror of daily life in
>>> some parts of the world.
>>> 
>>> 
>>> The UN Declaration of Human Rights, adopted in 1948, states:
>>> 
>>> * Everyone has the right to freedom of opinion and expression; this
>>>   right includes freedom to hold opinions without interference and
>>>   to seek, receive and impart information and ideas through any
>>>   media and regardless of frontiers.
>>> 
>>> 
>>> It does not say that everyone must put their address on that
>>> speech. Where, as here, the Internet has become the major path of
>>> communication for that speech, the requirement of a physical
>>> address for every speaker may well violate the requirement of the
>>> right to speak and the protection for that expression.
>>> 
>>> 
>>> Further, the validation of postal addresses represents a major
>>> change of policy – one not mandated or requested by the Whois
>>> Review Team, the 2013 RAA or by any Policy-Development Team we
>>> know of.
>>> 
>>> Who has evaluated the impact and dangers of wholesale adoption of
>>> postal address validation of the long-existing gTLD Whois
>>> databases– especially in a world that has changed dramatically in
>>> the last few years – where entire governments have risen and
>>> fallen, where formerly free countries and regions are enslaved by
>>> terrorist organizations and a new set of dictators? While
>>> proxy/privacy registrations are available, */they are a costly
>>> luxury for many and completely unknown to others/*.
>>> 
>>> 
>>> The mandatory validation of the massive number of postal addresses
>>> in the gTLD Whois database – as appears to be the policy proposal
>>> buried between methodology and sample sizes in the Contractor’s
>>> report -- will result in the dangerous, harmful, even
>>> life-threatening exposure of those using their domain names for
>>> nothing more than communicating their ideas, concerns, political
>>> hopes, and religious meetings via private streams of domain name
>>> communications, such as on listservs and email addresses, and more
>>> public resources including websites and blogs.
>>> 
>>> 
>>> No policy we know has ever directed ICANN Staff to instruct a
>>> Contractor to engage in massive Postal Address Validation – and no
>>> policy development process we know has studied, weighed, debated
>>> or valued the enormous impact to speech and expression of going
>>> back over 25+ years of domain names registrations to suddenly
>>> “correct” the postal address and thereby expose battered women’s
>>> shelters, women’s schools in Pakistan, pro-democracy groups,
>>> family planning groups and LBGQT locations worldwide.
>>> 
>>> 
>>> If this is the policy we in ICANN choose to adopt in the future
>>> (as we certainly have NOT adopted it already), then it will
>>> require enormous amounts of preparation, notice and warning to
>>> gTLD domain name
>>> registrants on a global scale. Absent that, we know (without doubt
>>> or hyperbole) that ICANN will have blood on its hands.
>>> 
>>> Overall, ICANN’s Contractor NORC seems to have jumped into
>>> policy-making, not mere implementation.
>>> 
>>> *
>>> II. ****Identity Validation – Really? *
>>> 
>>> 
>>> Buried deep in Appendix B, of the Contractor’s Report, behind
>>> “syntactic accuracy” and “operational accuracy” is the explosive
>>> issue of “exploring accuracy from an identity perspective” (page
>>> 45).
>>> 
>>> At no time has ICANN ever held a Policy Development Processes on
>>> Identity Validation. Accordingly, where does this guidance from
>>> ICANN to its Contractor to explore identity validation
>>> implementation come from?For those who attended the public Whois
>>> meeting in LA, this issue certainly was not flagged in the
>>> discussion; for those who attended the public meeting in
>>> Singapore, this issue was introduced and IMMEDIATELY FLAGGED as
>>> intensely controversial and divisive.
>>> 
>>> 
>>> Identity validation of those engaged in freedom of expression,
>>> publishing and political discussion is a deeply controversial
>>> prospect – and one with heartfelt objection and opposition
>>> grounded in history and law. The United States, for example,
>>> sought to be free of Englandin part because of the mandatory
>>> licensing of its printing presses – and the arrest of all who
>>> published objections to actions of the English crown. Pamphlets
>>> issued without names and addresses are not just a cultural right
>>> in the US, but a constitutional one./McIntyre vs.
>>> //Ohio//Elections Commission, 514 //U.S.//334 (US Supreme Court,
>>> 1995). /
>>> 
>>> 
>>> A.The GAC asked for a weighing of the risks and benefits
>>> 
>>> We note that the GAC has not issued policy in this area. According
>>> to the “Brief Overview” provided by ICANN as introduction to this
>>> Contractor Report and this public comment period, the GAC “asked
>>> for an assessment of the feasibility, costs and benefits of
>>> conducting identity validation as part of the development of the
>>> ARS.”
>>> 
>>> 
>>> Nowhere in this report do we see any assessment of the costs,
>>> delays, risks and harms that might be incurred by gTLD
>>> Registrants, Registrars and Registries worldwide if identity
>>> validation were adopted. Nowhere do we even see an analysis of how
>>> identity validation takes places, what happens when a minority
>>> seeks to register, or when a speaker must disclose and show her
>>> identification as the cost of signing up for a domain name
>>> highlighting family planning, women rights, or women’s education
>>> in parts of the world not as conducive to these fundamental rights
>>> and basic principles. Must she go through her father for this too?
>>> 
>>> 
>>> B.ICANN has promised a policy making process.
>>> 
>>> In his response to the GAC on this issue, Dr. Crocker noted concerns:
>>> 
>>> The costs of operating the Accuracy Reporting System are largely dependent
>>> 
>>> upon the number of WHOIS records to be examined, as well as the level of
>>> 
>>> validation (syntactic, operational, or identity). For example, the initial
>>> 
>>> responses to the ICANN RFP reveal that identity validation
>>> services are both
>>> 
>>> costly and difficult to administer on a global basis. */There may
>>> also be data/*
>>> 
>>> */protection and privacy issues of concern to the community when
>>> conducting/*
>>> 
>>> */extensive identity validation on WHOIS records./*Hence, the costs of
>>> 
>>> completing the development of Phase 3 will be determined based on
>>> 
>>> engagement with the community to identify the appropriate level of
>>> identity
>>> 
>>> validation for ICANN to conduct, as well as the costs associated with
>>> 
>>> performing identity validation on a global scale. (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf,
>>> emphasis added.)
>>> 
>>> 
>>> As always, policy development must proceed implementation. We call
>>> on ICANN to take this discussion out of the recesses of a
>>> Contractor report, and into the light of the policy development
>>> process.
>>> 
>>> *
>>>       III**. Wide Outreach Needed*
>>> 
>>> One thing the Whois Review Team did note in its Final Review is
>>> the need for clear and concerted outreach on issues that impact
>>> the Whois: “We found great interest in the WHOIS policy among a
>>> number of groups that do not traditionally participate in ICANN’s
>>> more technical proceedings. They include the law enforcement
>>> community, Data Protection Commissioners, and the privacy
>>> community more generally.”The Whois Review Team’s recommendation
>>> specifically call for active and concerted outreach to these
>>> communities of its issue:
>>> 
>>> */Recommendation 3 - Outreach /*
>>> 
>>> ICANN should ensure that WHOIS policy issues are accompanied by
>>> cross-community outreach, including outreach to the communities
>>> outside of ICANN with a specific interest in the issues, and an
>>> ongoing program for consumer awareness.
>>> 
>>> 
>>> That has clearly not happened here – when so much of substance is
>>> buried so deeply in the back of a report. When will ICANN be
>>> undertaking clear, robust global Outreach on these important
>>> freedom of expression and privacy issues and implications?
>>> 
>>> *
>>> IV.**Finally, let’s Add Policy Staff and Freedom of Expression and
>>> Data Protection Expertise*
>>> 
>>> We ask that an ICANN Staff deeply steeped in data protection and
>>> freedom of expression laws and rights be brought on to work on the
>>> development of these address and identity issues. We understand
>>> that ICANN feels previous backgrounds of its staffers do not limit
>>> their activities, but the perception and reality of this issue
>>> would be considered much more balanced if the ICANN Staffers of
>>> the project hailed from an array of backgrounds and had
>>> represented multiple sides of this issue in their prior lives.
>>> 
>>> *
>>> V.**Conclusion*
>>> 
>>> We can’t bury wholesale physical address checking and the new
>>> concept of identity validation in the back of a Contractor Report.
>>> These are NOT policies examined or endorsed by the whole of the
>>> ICANN or even the GNSO communities, nor policies evaluated yet by
>>> the whole of the ICANN Community. The risks and benefits must be
>>> assessed before the implementation is planned.
>>> 
>>> 
>>> Signed,
>>> 
>>> 
>>> MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP
>>> [name, and/or organization, and/or country]
>>> 
>>